1. Field of the Invention
This invention relates generally to packet based communications using deep packet inspection (DPI).
2. Description of Related Art
In its existing form, DPI is a form of computer network packet processing that examines the data and/or header part of a packet as it passes an inspection point, searching for protocol non-compliance, viruses, spam, intrusions, or predefined criteria that define a protocol or application, in order to decide what, if any, content-specific processing needs to be performed. DPI is also sometimes called Content Inspection or Content Processing. DPI is in contrast to shallow packet inspection (usually called just packet inspection), which checks only the lower-layer header portion of a packet (usually up to Layer 3 of the OSI model).
DPI devices have the ability to look at Layer 2 through Layer 7 of the OSI model. This includes headers and data protocol structures as well as the actual payload of the message. The DPI will identify and classify the traffic based on a signature database and the information extracted from the packet, allowing finer control than classification based only on header information.
A classified packet can be, among others, redirected, marked/tagged (see QoS), blocked, rate limited, and of course reported to a reporting agent in the network. DPI devices first identify packet DPI flows (for example defined by IP 5-tuple) and then perform DPI on packets within each flow, allowing identification and control actions based on accumulated single or multiple flow information.
DPI allows phone and cable companies to readily know the type of applications a user is receiving online, from e-mail, to websites, to sharing of music, video and software downloads, as would a network analysis tool. This is the approach that cable operators and ISPs may use, for example, to dynamically allocate bandwidth resources to match the requirements of a particular application that is passing through their networks. Thus, for example, low-latency resources can be allocated to a VoIP call versus web browsing.
DPI is also increasingly being used in security devices to analyze flows, compare them against policy, and then treat the traffic appropriately (i.e., block, allow, rate limit, tag for priority, mirror to another device for more analysis or reporting). Since the DPI device looks at each individual packet, it can be used by ISPs to provide or block services on a user-by-user basis.
Unfortunately, in its existing form, DPI is not able to identify an application from a single packet, because multiple packets, often in both directions, or even multiple flows may need to be examined to avoid false-positive identification. Thus, there is a need for a DPI system and method that enable the identification of an application from a single packet, such as a ping packet.
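The conventional per-flow behavior described above (flows keyed by IP 5-tuple, and identification that needs packets in both directions to avoid a false positive) can be illustrated with the following added example, which is not part of the original document. The signature table, class and function names, addresses and payloads are all constructed for illustration.

```python
# Constructed signatures (assumption): an application is confirmed only when
# its client-to-server and server-to-client patterns have both been seen.
SIGNATURES = {
    "http": {"c2s": b"GET ", "s2c": b"HTTP/1."},
    "ssh": {"c2s": b"SSH-2.0-", "s2c": b"SSH-2.0-"},
}

def flow_key(src, sport, dst, dport, proto):
    """Direction-independent 5-tuple key: both directions map to one flow."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

class FlowClassifier:
    def __init__(self):
        self.flows = {}  # flow key -> accumulated per-flow state

    def inspect(self, src, sport, dst, dport, proto, payload):
        """Return the application name once confirmed, else None."""
        key = flow_key(src, sport, dst, dport, proto)
        state = self.flows.setdefault(
            key, {"initiator": (src, sport), "seen": set(), "app": None})
        if state["app"]:
            return state["app"]  # flow already classified
        # The first packet seen on a flow defines the client side.
        direction = "c2s" if (src, sport) == state["initiator"] else "s2c"
        for app, sig in SIGNATURES.items():
            if payload.startswith(sig[direction]):
                state["seen"].add((app, direction))
            if {(app, "c2s"), (app, "s2c")} <= state["seen"]:
                state["app"] = app
        return state["app"]

# Constructed sample traffic: a real HTTP exchange, then a look-alike flow
# whose first payload resembles HTTP but whose reply does not.
PACKETS = [
    ("10.0.0.5", 40000, "192.0.2.10", 80, "tcp", b"GET / HTTP/1.1\r\n"),
    ("192.0.2.10", 80, "10.0.0.5", 40000, "tcp", b"HTTP/1.1 200 OK\r\n"),
    ("10.0.0.6", 40001, "192.0.2.10", 9000, "tcp", b"GET lookalike"),
    ("192.0.2.10", 9000, "10.0.0.6", 40001, "tcp", b"\x00\x01binary"),
]

def demo():
    classifier = FlowClassifier()
    return [classifier.inspect(*pkt) for pkt in PACKETS]

if __name__ == "__main__":
    print(demo())
```

The first packet of each flow yields no verdict on its own; only the accumulated two-direction evidence confirms the first flow and keeps the look-alike flow unclassified.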
The foregoing objects and advantages of the invention are illustrative of those that can be achieved by the various exemplary embodiments and are not intended to be exhaustive or limiting of the possible advantages which can be realized. Thus, these and other objects and advantages of the various exemplary embodiments will be apparent from the description herein or can be learned from practicing the various exemplary embodiments, both as embodied herein or as modified in view of any variation that may be apparent to those skilled in the art. Accordingly, the present invention resides in the novel methods, arrangements, combinations, and improvements herein shown and described in various exemplary embodiments.